MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af1abd42b66dc0ed8e27db626f60c1c57c3e424e67740c8fc537275e30cd2980. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 22


Intelligence 22 IOCs 1 YARA 47 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: af1abd42b66dc0ed8e27db626f60c1c57c3e424e67740c8fc537275e30cd2980
SHA3-384 hash: 274bbd42aca38fa055cc673afca74678230a2ebf3e87302bf55c180978c092b0438d6d9d2314595fdc20c113ef9da07f
SHA1 hash: 1b2a6b85eb22763a2fec39dbfbf9e3ff5ddd076b
MD5 hash: 409c9b9ee6609092b36b16ad0903a3c5
humanhash: romeo-bulldog-thirteen-three
File name:409c9b9ee6609092b36b16ad0903a3c5.exe
Download: download sample
Signature XWorm
Create hunting rule
File size:3'393'024 bytes
First seen:2025-09-06 04:50:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 49152:YwNupe2WYlULzbQPAbozU6KdBd/e6CuUayPbr/7X:YwMpnnl6E
Threatray 52 similar samples on MalwareBazaar
TLSH T1D0F55D41ABE8CE1BE1BF6775A5B2010017F1F449A726D74B1B90E6B82C937406D1A3BF
TrID 44.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
25.0% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
9.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
6.3% (.EXE) Win64 Executable (generic) (10522/11/4)
3.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Magika pebin
Reporter abuse_ch
Tags:exe xworm


Avatar
abuse_ch
XWorm C2:
192.159.99.13:7000

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
192.159.99.13:7000 https://threatfox.abuse.ch/ioc/1582713/

Intelligence

File Origin
# of uploads :
1
# of downloads :
117
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
409c9b9ee6609092b36b16ad0903a3c5.exe
Verdict:
Malicious activity
Analysis date:
2025-09-06 04:53:24 UTC
Tags:
auto-reg rat asyncrat remote stealer generic ims-api stormkitty auto-startup telegram xworm crypto-regex dcrat github braincipher ransomware lockbit upx babylon
Link:
https://app.any.run/tasks/6a07703e-1c8f-49e6-bb5e-8eb3a60fe015

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
ArrowRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/25945/
Detection(s):
SecuriteInfo.com.PUA.InfoLeak-1.UNOFFICIAL
Create hunting rule

Win.Packed.Razy-9807129-0
Create hunting rule

Win.Packed.Adwarex-9851111-0
Create hunting rule

Win.Packed.Datastealer-9856291-0
Create hunting rule

Win.Malware.Generickdz-9865912-0
Create hunting rule

Win.Packed.Bulz-9891112-0
Create hunting rule

Win.Trojan.AsyncRAT-9914220-0
Create hunting rule

Win.Malware.Bulz-9916789-0
Create hunting rule

Win.Packed.AsyncRAT-9938103-1
Create hunting rule

Win.Malware.Bulz-9982456-0
Create hunting rule

Win.Packed.Msilzilla-10005487-0
Create hunting rule

Win.Packed.Tedy-10017583-0
Create hunting rule

Win.Malware.Zusy-10034587-0
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.AsyncRAT.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68bbbdd23e988eb6ab83ff92
Tags:
infosteal asyncrat autorun emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Creating a file
Launching a process
Creating a process from a recently created file
Creating a window
Connection attempt
Sending a custom TCP request
Reading critical registry keys
Searching for synchronization primitives
Sending an HTTP GET request
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Enabling autorun by creating a file
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
agenttesla anti-debug anti-vm asyncrat base64 cmd configsecuritypolicy control evasive explorer explorer findstr fingerprint fingerprint hacktool infostealer lolbin lolbin mpcmdrun msconfig msiexec neshta netsh njrat njrat obfuscated obfuscated privilege rat razy reconnaissance regedit schtasks stealer stormkitty threat unsafe vbnet venomrat virus windows
Link:
https://www.filescan.io/uploads/68bbbdd0fe1969faa8a6fe51/reports/a6a186b4-79ed-4756-81f8-61a7e93bd0dc/overview
Verdict:
Malicious
Labled as:
Dump:Generic.Trojan.Cryo.Marte.D
Link:
https://www.hybrid-analysis.com/sample/af1abd42b66dc0ed8e27db626f60c1c57c3e424e67740c8fc537275e30cd2980
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-08-31T12:19:00Z UTC
Last seen:
2025-08-31T12:19:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/af1abd42b66dc0ed8e27db626f60c1c57c3e424e67740c8fc537275e30cd2980/results?tab=lookup
Malware family:
Stealerium Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5bcd5ae2-1c40-463f-b554-fcbcc918b9ed
Result
Threat name:
AsyncRAT, Dacic, KeyLogger, NeptuneRAT,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1772199
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Creates multiple autostart registry keys
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potential Data Stealing Via Chromium Headless Debugging
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected BrowserPasswordDump
Yara detected Dacic
Yara detected Keylogger Generic
Yara detected NeptuneRAT
Yara detected ParadoxRAT
Yara detected RedLine Stealer
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Yara detected VenomRAT
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1772199 Sample: 3Q7am57Fik.exe Startdate: 06/09/2025 Architecture: WINDOWS Score: 100 128 api.telegram.org 2->128 130 raw.githubusercontent.com 2->130 162 Suricata IDS alerts for network traffic 2->162 164 Found malware configuration 2->164 166 Malicious sample detected (through community Yara rule) 2->166 170 25 other signatures 2->170 12 Wihnup.exe 15 28 2->12         started        17 3Q7am57Fik.exe 8 2->17         started        19 msedge.exe 2->19         started        21 7 other processes 2->21 signatures3 168 Uses the Telegram API (likely for C&C communication) 128->168 process4 dnsIp5 144 192.159.99.13, 1417, 20000, 35361 CYBERLYNKUS United Kingdom 12->144 146 127.0.0.1 unknown unknown 12->146 108 C:\Users\user\AppData\Local\Temp\sysnt.exe, PE32 12->108 dropped 110 C:\Users\user\AppData\Local\Temp\Wihnup.exe, PE32 12->110 dropped 194 Multi AV Scanner detection for dropped file 12->194 196 Attempt to bypass Chrome Application-Bound Encryption 12->196 198 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->198 206 2 other signatures 12->206 23 cmd.exe 12->23         started        26 chrome.exe 12->26         started        29 msedge.exe 12->29         started        112 C:\Users\user\AppData\Roaming\Wihnup.exe, PE32 17->112 dropped 114 C:\Users\user\AppData\...\3Q7am57Fik.exe.log, CSV 17->114 dropped 200 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 17->200 31 cmd.exe 1 17->31         started        33 cmd.exe 1 17->33         started        148 239.255.255.250 unknown Reserved 19->148 116 C:\Users\user\AppData\Local\...\Login Data, SQLite 19->116 dropped 118 C:\Users\user\AppData\Local\...\History, SQLite 19->118 dropped 202 Maps a DLL or memory area into another process 19->202 35 msedge.exe 19->35         started        37 msedge.exe 19->37         started        39 msedge.exe 19->39         started        41 2 other processes 19->41 204 Hides that the sample has been downloaded from the Internet (zone.identifier) 21->204 file6 signatures7 process8 dnsIp9 186 Suspicious powershell command line found 23->186 43 powershell.exe 23->43         started        45 conhost.exe 23->45         started        136 192.168.2.4, 1417, 20000, 31744 unknown unknown 26->136 47 chrome.exe 26->47         started        50 msedge.exe 29->50         started        188 Bypasses PowerShell execution policy 31->188 190 Uses schtasks.exe or at.exe to add and modify task schedules 31->190 52 conhost.exe 31->52         started        54 schtasks.exe 1 31->54         started        56 conhost.exe 33->56         started        58 timeout.exe 1 33->58         started        60 Wihnup.exe 33->60         started        138 r.msftstatic.com 35->138 140 ntp.msn.com 35->140 142 36 other IPs or domains 35->142 signatures10 process11 dnsIp12 62 sysnt.exe 43->62         started        152 www.google.com 142.250.65.228, 443, 49735, 49736 GOOGLEUS United States 47->152 process13 dnsIp14 150 api.telegram.org 149.154.167.220, 443, 49789 TELEGRAMRU United Kingdom 62->150 120 C:\Users\user\AppData\Roaming\sysnt.exe, PE32 62->120 dropped 122 C:\Users\user\AppData\Local\Temp\ptghio.exe, PE32 62->122 dropped 124 C:\Users\user\AppData\Local\Temp\pmmtki.exe, PE32 62->124 dropped 126 3 other malicious files 62->126 dropped 154 Multi AV Scanner detection for dropped file 62->154 156 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 62->156 158 Protects its processes via BreakOnTermination flag 62->158 160 3 other signatures 62->160 67 ptghio.exe 62->67         started        71 ditnfb.exe 62->71         started        74 dipkbp.exe 62->74         started        76 8 other processes 62->76 file15 signatures16 process17 dnsIp18 102 C:\ProgramData\.NeT\system32.exe, PE32 67->102 dropped 172 Creates multiple autostart registry keys 67->172 174 Contains functionality to steal Chrome passwords or cookies 67->174 176 Contains functionality to capture and log keystrokes 67->176 184 2 other signatures 67->184 78 system32.exe 67->78         started        132 raw.githubusercontent.com 185.199.111.133, 443, 49798 FASTLYUS Netherlands 71->132 134 193.161.193.99, 31744, 49799, 49800 BITREE-ASRU Russian Federation 71->134 104 C:\Users\user\AppData\Roaming\ditnfb.exe, PE32 71->104 dropped 178 Multi AV Scanner detection for dropped file 71->178 81 schtasks.exe 71->81         started        180 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 74->180 106 C:\Users\user\AppData\Roaming\su.exe, PE32 76->106 dropped 182 Loading BitLocker PowerShell Module 76->182 83 cmd.exe 76->83         started        85 cmd.exe 76->85         started        87 conhost.exe 76->87         started        89 5 other processes 76->89 file19 signatures20 process21 signatures22 208 Antivirus detection for dropped file 78->208 210 Hides that the sample has been downloaded from the Internet (zone.identifier) 78->210 91 system32.exe 78->91         started        94 conhost.exe 81->94         started        96 conhost.exe 83->96         started        98 schtasks.exe 83->98         started        100 conhost.exe 85->100         started        process23 signatures24 192 Hides that the sample has been downloaded from the Internet (zone.identifier) 91->192
Score:
87%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/af1abd42b66dc0ed8e27db626f60c1c57c3e424e67740c8fc537275e30cd2980
Verdict:
njRat
YARA:
17 match(es)
Tags:
.Net Executable Managed .NET njRat PDB Path PE (Portable Executable) PE File Layout RAT SOS: 0.25 SOS: 0.33 Win 32 Exe x86
Link:
https://app.malva.re/file/409c9b9ee6609092b36b16ad0903a3c5
Detection:
asyncrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/af1abd42b66dc0ed8e27db626f60c1c57c3e424e67740c8fc537275e30cd2980/
Threat name:
ByteCode-MSIL.Backdoor.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2025-08-31 15:15:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
27 of 36 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v4nl2qvwnxao3drh3nrg6ygbyv6d4qsom52azd6fg4tv4mgnfgaa._file
Verdict:
malicious
Label(s):
stormkitty
Create hunting rule
asyncrat
Create hunting rule
Similar samples:
62264839829a6a992474540d1fe15482eff88c709fd8a0d235f44fe52649ef1a
XWorm
6cf0d4b7fd3371e339d9e52aa97cf50c9f2d0e662329507579f645e83e7285fe
XWorm
8abdfaddb041a5c65cf9d4971466474fa77887a62f633fd51476344ae11ce5f0
XWorm
c54bd7c3ec3b9183ac28dec038c43463b770ac78557aca0abd10e9620990108a
XWorm
c9feb68275bd9e097ac71b17a4659c7734dabe06cf440b2cea2d06ecc13ead54
XWorm
error
XWorm
+ 42 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:babylonrat family:lockbit family:redline family:sectoprat family:stormkitty family:xworm botnet:cheat botnet:default credential_access defense_evasion discovery execution infostealer persistence ransomware rat spyware stealer trojan upx
Link:
https://tria.ge/reports/250906-fg1zgagr71/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
UPX packed file
Adds Run key to start application
Checks installed software on the system
Drops desktop.ini file(s)
Indicator Removal: File Deletion
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Credentials from Password Stores: Windows Credential Manager
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Uses browser remote debugging
Async RAT payload
Renames multiple (12348) files with added filename extension
AsyncRat
Asyncrat family
Babylon RAT
Babylon RAT payload
Babylonrat family
Contains code to disable Windows Defender
Detect Xworm Payload
Lockbit
Lockbit family
RedLine
RedLine payload
Redline family
Rule to detect Lockbit 3.0 ransomware Windows payload
SectopRAT
SectopRAT payload
Sectoprat family
StormKitty
StormKitty payload
Stormkitty family
Xworm
Xworm family
Malware Config
C2 Extraction:
192.159.99.13:7000
192.159.99.13:8848
192.159.99.13:35361
192.159.99.13:1417
Verdict:
Malicious
Tags:
rat arrowrat asyncrat dcrat venom_rat downloader stealer stormkitty trojan Win.Packed.Razy-9807129-0
YARA:
EXE_VenomRAT_May_2024 MALWARE_Win_ArrowRAT MAL_EXE_DCRat_Jul_08_2 Windows_Generic_Threat_ce98c4bc Windows_Trojan_DCRat_1aeea1ac asyncrat MALWARE_Win_DLAgent10 MALWARE_Win_StormKitty Windows_Generic_Threat_2bb6f41d
Link:
https://app.threat.zone/submission/89db711f-7ae1-4d06-85d3-baaa72474873
Unpacked files
SH256 hash:
af1abd42b66dc0ed8e27db626f60c1c57c3e424e67740c8fc537275e30cd2980
MD5 hash:
409c9b9ee6609092b36b16ad0903a3c5
SHA1 hash:
1b2a6b85eb22763a2fec39dbfbf9e3ff5ddd076b
Detections:
AsyncRAT
Create hunting rule
DiscordRatWebcamGrabber
Create hunting rule
Link:
https://www.unpac.me/results/39aade4a-187f-4aa8-b30f-1c83da252e26/
SH256 hash:
ab47605ffd91925cd3c2637962523122bf4eb73ab8ba48a8097726cad2601a2d
MD5 hash:
1c6ce7519b040a443d31b4d1d0ae8d6d
SHA1 hash:
a6c91f503ebbb157a7de77ceb7c3606bf90980bb
Link:
https://www.unpac.me/results/39aade4a-187f-4aa8-b30f-1c83da252e26/
SH256 hash:
291875f63d57c5b50a0c492e14c681317f03e6d11f464eb144bf9a2ee4c7b3a8
MD5 hash:
9dc9426c8dc330ee98a6979400d6cdb2
SHA1 hash:
32527680deadf92229c5243cba9818a459f20265
Detections:
MALWARE_Win_DLAgent10
Create hunting rule
Link:
https://www.unpac.me/results/39aade4a-187f-4aa8-b30f-1c83da252e26/
Parent samples :
62264839829a6a992474540d1fe15482eff88c709fd8a0d235f44fe52649ef1a
af1abd42b66dc0ed8e27db626f60c1c57c3e424e67740c8fc537275e30cd2980
6261725cc075d343f4a875f0546732d9b9de811efbc5a26bc6fdc62c1d43cf62
Malware family:
DCRat
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/af1abd42b66d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.72
Link:
https://yomi.yoroi.company/submissions/af1abd42b66dc0ed8e27db626f60c1c57c3e424e67740c8fc537275e30cd2980

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AcRat
Create hunting rule
Author:Nikos 'n0t' Totosis
Description:AcRat Payload (based on AsyncRat)
Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:ffdroider
Create hunting rule
Author:Michelle Khalil
Description:This rule detects unpacked ffdroider stealer malware samples.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_EXE_B64_Artifacts
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Rule name:INDICATOR_SUSPICIOUS_EXE_CC_Regex
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing credit card regular expressions
Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:INDICATOR_SUSPICIOUS_EXE_Discord_Regex
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Discord tokens regular expressions
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_VPN
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many VPN software clients. Observed in infosteslers
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon
Create hunting rule
Author:ditekSHen
Description:Detects executables with interest in wireless interface using netsh
Rule name:INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
Author:ditekSHen
Description:Detects executables attemping to enumerate video devices using WMI
Rule name:INDICATOR_SUSPICIOUS_References_SecTools
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many IR and analysis tools
Rule name:Lumma_Stealer_Detection
Create hunting rule
Author:ashizZz
Description:Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/
Rule name:Macos_Infostealer_Wallets_8e469ea0
Create hunting rule
Author:Elastic Security
Rule name:MALWARE_Win_ArrowRAT
Create hunting rule
Author:ditekSHen
Description:Detects ArrowRAT
Rule name:MALWARE_Win_AsyncRAT
Create hunting rule
Author:ditekSHen
Description:Detects AsyncRAT
Rule name:MALWARE_Win_DLAgent10
Create hunting rule
Author:ditekSHen
Description:Detects known downloader agent
Rule name:MALWARE_Win_StormKitty
Create hunting rule
Author:ditekSHen
Description:Detects StormKitty infostealer
Rule name:Mal_WIN_AsyncRat_RAT_PE
Create hunting rule
Author:Phatcharadol Thangplub
Description:Use to detect AsyncRAT implant.
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:Njrat
Create hunting rule
Author:botherder https://github.com/botherder
Description:Njrat
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:venomrat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Windows_Generic_Threat_21253888
Create hunting rule
Author:Elastic Security
Rule name:Windows_Generic_Threat_2bb6f41d
Create hunting rule
Author:Elastic Security
Rule name:Windows_Generic_Threat_ce98c4bc
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_DCRat_1aeea1ac
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/25945/

Comments